
Source file src/k8s.io/kubernetes/cmd/kubeadm/test/kubeconfig/util.go

Documentation: k8s.io/kubernetes/cmd/kubeadm/test/kubeconfig

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package kubeconfig
    18  
    19  import (
    20  	"crypto/x509"
    21  	"encoding/pem"
    22  	"testing"
    23  
    24  	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
    25  
    26  	certstestutil "k8s.io/kubernetes/cmd/kubeadm/app/util/certs"
    27  )
    28  
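// AssertKubeConfigCurrentCluster is a kubeadm test helper that checks the cluster
// referenced by the current context of the given kubeconfig: its server address
// must equal expectedAPIServerAddress and its embedded CA certificate must equal
// expectedAPIServerCaCert.
//
// Every failure is reported through t; a kubeconfig with a dangling current
// context, a dangling cluster reference or non-PEM CA data produces a test error
// instead of a nil-pointer panic.
func AssertKubeConfigCurrentCluster(t *testing.T, config *clientcmdapi.Config, expectedAPIServerAddress string, expectedAPIServerCaCert *x509.Certificate) {
	// Contexts and Clusters hold pointers, so a name with no entry yields nil.
	currentContext := config.Contexts[config.CurrentContext]
	if currentContext == nil {
		t.Errorf("kubeconfig.contexts has no entry for the current context [%s]", config.CurrentContext)
		return
	}
	currentCluster := config.Clusters[currentContext.Cluster]
	if currentCluster == nil {
		t.Errorf("kubeconfig.clusters has no entry for cluster [%s]", currentContext.Cluster)
		return
	}

	// Assert expectedAPIServerAddress
	if currentCluster.Server != expectedAPIServerAddress {
		t.Errorf("kubeconfig.currentCluster.Server is [%s], expected [%s]", currentCluster.Server, expectedAPIServerAddress)
	}

	// Assert the APIServerCaCert
	if len(currentCluster.CertificateAuthorityData) == 0 {
		t.Error("kubeconfig.currentCluster.CertificateAuthorityData is empty, expected not empty")
		return
	}

	// pem.Decode returns a nil block when the data holds no PEM block at all.
	// Only the first block is examined: the remaining bytes are discarded, so
	// additional certificates appended to the CA data are not detected here.
	block, _ := pem.Decode(currentCluster.CertificateAuthorityData)
	if block == nil {
		t.Error("kubeconfig.currentCluster.CertificateAuthorityData does not contain a PEM block")
		return
	}

	currentAPIServerCaCert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		t.Errorf("kubeconfig.currentCluster.CertificateAuthorityData is not a valid CA: %v", err)
		return
	}

	// The trusted CA must be exactly the expected certificate, not merely a
	// certificate with the same subject.
	if !currentAPIServerCaCert.Equal(expectedAPIServerCaCert) {
		t.Errorf("kubeconfig.currentCluster.CertificateAuthorityData not correspond to the expected CA cert")
	}
}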
    57  
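// AssertKubeConfigCurrentAuthInfoWithClientCert is a kubeadm test helper that checks
// the client certificate embedded in the AuthInfo referenced by the current context
// of the given kubeconfig. The certificate must be signed by signinCa, carry the
// ClientAuth extended key usage, use expectedClientName as CommonName and list
// expectedOrganizations as Organizations.
//
// Every failure is reported through t; a dangling current context, a dangling
// AuthInfo reference or non-PEM certificate data produces a test error instead of
// a nil-pointer panic.
func AssertKubeConfigCurrentAuthInfoWithClientCert(t *testing.T, config *clientcmdapi.Config, signinCa *x509.Certificate, expectedClientName string, expectedOrganizations ...string) {
	// Contexts and AuthInfos hold pointers, so a name with no entry yields nil.
	currentContext := config.Contexts[config.CurrentContext]
	if currentContext == nil {
		t.Errorf("kubeconfig.contexts has no entry for the current context [%s]", config.CurrentContext)
		return
	}
	currentAuthInfo := config.AuthInfos[currentContext.AuthInfo]
	if currentAuthInfo == nil {
		t.Errorf("kubeconfig.users has no entry for user [%s]", currentContext.AuthInfo)
		return
	}

	// assert clientCert
	if len(currentAuthInfo.ClientCertificateData) == 0 {
		t.Error("kubeconfig.currentAuthInfo.ClientCertificateData is empty, expected not empty")
		return
	}

	// pem.Decode returns a nil block when the data holds no PEM block at all.
	// Only the first block is examined; any bytes after it are discarded.
	block, _ := pem.Decode(currentAuthInfo.ClientCertificateData)
	if block == nil {
		t.Error("kubeconfig.currentAuthInfo.ClientCertificateData does not contain a PEM block")
		return
	}

	currentClientCert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		// This is the client certificate, not a CA, so the message says so.
		t.Errorf("kubeconfig.currentAuthInfo.ClientCertificateData is not a valid certificate: %v", err)
		return
	}

	// Asserts the clientCert is signed by the signinCa
	certstestutil.AssertCertificateIsSignedByCa(t, currentClientCert, signinCa)

	// Asserts the clientCert has ClientAuth ExtKeyUsage
	certstestutil.AssertCertificateHasClientAuthUsage(t, currentClientCert)

	// Asserts the clientCert has expectedClientName as CommonName
	certstestutil.AssertCertificateHasCommonName(t, currentClientCert, expectedClientName)

	// Asserts the clientCert has expected Organizations
	certstestutil.AssertCertificateHasOrganizations(t, currentClientCert, expectedOrganizations...)
}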
    89  
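// AssertKubeConfigCurrentAuthInfoWithToken is a kubeadm test helper that checks that
// the AuthInfo referenced by the current context of the given kubeconfig carries
// expectedToken as its bearer token.
//
// expectedClientName is accepted for signature compatibility but is not checked
// by this helper. A dangling current context or AuthInfo reference is reported
// as a test error instead of causing a nil-pointer panic.
func AssertKubeConfigCurrentAuthInfoWithToken(t *testing.T, config *clientcmdapi.Config, expectedClientName, expectedToken string) {
	// Contexts and AuthInfos hold pointers, so a name with no entry yields nil.
	currentContext := config.Contexts[config.CurrentContext]
	if currentContext == nil {
		t.Errorf("kubeconfig.contexts has no entry for the current context [%s]", config.CurrentContext)
		return
	}
	currentAuthInfo := config.AuthInfos[currentContext.AuthInfo]
	if currentAuthInfo == nil {
		t.Errorf("kubeconfig.users has no entry for user [%s]", currentContext.AuthInfo)
		return
	}

	// assert token
	// NOTE(review): on mismatch both token values are written to the test log,
	// so callers should pass fixture tokens only, never a live credential.
	if currentAuthInfo.Token != expectedToken {
		t.Errorf("kubeconfig.currentAuthInfo.Token [%s], expected [%s]", currentAuthInfo.Token, expectedToken)
	}
}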
   102  
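// AssertKubeConfigCurrentContextWithClusterName is a kubeadm test helper that checks
// that the current context of the given kubeconfig refers to expectedClusterName.
//
// A current context with no matching entry in config.Contexts is reported as a
// test error instead of causing a nil-pointer panic.
func AssertKubeConfigCurrentContextWithClusterName(t *testing.T, config *clientcmdapi.Config, expectedClusterName string) {
	// Contexts holds pointers, so a name with no entry yields nil.
	currentContext := config.Contexts[config.CurrentContext]
	if currentContext == nil {
		t.Errorf("kubeconfig.contexts has no entry for the current context [%s]", config.CurrentContext)
		return
	}

	// assert cluster name
	if currentContext.Cluster != expectedClusterName {
		t.Errorf("kubeconfig.currentContext.clusterName [%s], expected [%s]", currentContext.Cluster, expectedClusterName)
	}
}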
   114  
